-
AWS SQS input not receiving/sending all region messages to Splunk
I recently set up our Amazon SQS queue in Cribl. Events are forwarding to Splunk; however, when compared to the pre-existing AWS logs in Splunk from the heavy forwarder TA, I noticed we are only pulling in events from one region via Cribl, as opposed to the 20 actually sending events and being received through the Splunk TA.…
-
What does an "Unsupported op-code 249" mean?
Why do we see this message when using Cribl v4.4.0 with S2S V4 and Splunk forwarder version 9.1.x: { "time": "2023-12-19T15:16:15.549Z", "cid": "w0", "channel": "input:in_splunk_tcp", "level": "error", "message": "closed connection", "src": "10.10.10.10:62453", "error": { "message": "Unsupported op-code 249.", "stack":…
-
Ldap queries for Active Directory Info
Can cribl stream carry out ldap queries to Microsoft AD and then save the AD information in a lookup table or something similar? I want to automate fetching AD information from AD servers and then feeding it to a SIEM like Splunk or Elastic.
-
Adding Splunk Metadata to events
I have an event with no Splunk metadata values within it, and I am trying to add new fields such as host, index, source and sourcetype (custom fields). I tried using an eval but had no luck; how do I go about this?
-
Is it possible to disable certificate validation when connecting a Splunk Search Collector?
Hello, we are trying to set up a Splunk Search collector against an on-prem Splunk with a self-signed certificate. Is it possible to disable certificate validation?
-
Is there a cribl equivalent to Splunk’s rex mode=sed?
Hi all, is there a Cribl equivalent to Splunk’s rex mode=sed? I’ve tried replace_regex but I kept hitting a brick wall. I’m trying to take a timestamp with an indeterminate number of spaces and replace those spaces with a single space in a pipeline (using the ‘eval’ function). Data looks like this: timestamp: “2023-10-03…
-
Collect and Send S3 logs via Cribl to Splunk
Hello all, I'm new to Cribl and basically a Splunk admin & developer. I've been working on a Cribl migration project for a while. My requirement is to collect data from an S3 bucket via Cribl, apply some cool stuff, then send it to Splunk for indexing. Now, I have established the connection with my S3 bucket from Cribl Stream.…
-
Handling the missing date_ fields for Splunk Enterprise Security
Splunk Enterprise Security… there's a lot of SPL out there that leverages the date_ fields that the TAs on Splunk HFs create when parsing time. How is everyone dealing with the lack of these fields, and with aliasing to CIM etc. by Splunk TAs, when leveraging Cribl Stream?
-
Access Splunk UF meta data
Splunk UF internal logs are picked up by a passthru pipeline in Cribl, based on index.startsWith('_') for the route filter. That works fine. The problem: I lose all meta information about the Splunk UFs, like version and OS. Can this be prevented somehow? I just see all the Cribl workers and some machines (HF) that are…
-
Config for Splunk Universal Forwarder
Does anyone have a Splunk universal forwarder config they typically use for forwarding? Original question: https://cribl-community.slack.com/archives/CPYBPK65V/p1690293855973699 Original author: Matt